How to Lose Customers with Excessive Security

thanksajdotcom

@thanksaj said:

@scottalanmiller said:

@Hubtech said:

our family account, which i rarely log into, has SFA, and it NEVER works. terrible.

My bank makes me "verify my computer" every time even though it's been verified and saved as my machine a hundred times. It's useless.

Do you clear your cookies?

Whenever I use incognito mode, or clear my cookies, I have to reverify with Chase. If those cookies aren't present, that's why.

scottalanmiller

@thanksaj said:

So you're telling me if I block Dropbox and my user copies a file that's sensitive to a flash drive because they want to work on it from a non-secured home PC to a flash drive it's my fault because I've locked down security policy too much? BULL!!! This statement is so blatantly wrong and lacks any kind of understanding about good security policy within an organization it's embarrassing!

If you block secure options, don't block insecure options and fail to provide good, secure options then yes, totally your fault for causing people to work around security to do their jobs. No different than onerous password policies. It's the ones making the policies triggering bad behaviour in many cases.

scottalanmiller

@thanksaj said:

@scottalanmiller said:

@Hubtech said:

our family account, which i rarely log into, has SFA, and it NEVER works. terrible.

My bank makes me "verify my computer" every time even though it's been verified and saved as my machine a hundred times. It's useless.

Do you clear your cookies?

Nope, never.

scottalanmiller

@thanksaj said:

Whenever I use incognito mode, or clear my cookies, I have to reverify with Chase. If those cookies aren't present, that's why.

I've honestly never used incognito.

thanksajdotcom

@scottalanmiller said:

@thanksaj said:

@scottalanmiller said:

@Hubtech said:

our family account, which i rarely log into, has SFA, and it NEVER works. terrible.

My bank makes me "verify my computer" every time even though it's been verified and saved as my machine a hundred times. It's useless.

Do you clear your cookies?

Nope, never.

And you don't have anything like CCleaner or something being run?

scottalanmiller

@thanksaj said:

And you don't have anything like CCleaner or something being run?

Very rarely, nothing scheduled.

thanksajdotcom

@scottalanmiller said:

@thanksaj said:

So you're telling me if I block Dropbox and my user copies a file that's sensitive to a flash drive because they want to work on it from a non-secured home PC to a flash drive it's my fault because I've locked down security policy too much? BULL!!! This statement is so blatantly wrong and lacks any kind of understanding about good security policy within an organization it's embarrassing!

If you block secure options, don't block insecure options and fail to provide good, secure options then yes, totally your fault for causing people to work around security to do their jobs. No different than onerous password policies. It's the ones making the policies triggering bad behaviour in many cases.

Exactly. IF someone should have the ability to work from home, and their work computer is a desktop, they need to be provided a company laptop with a VPN connection, and need to be saving their work to a central location, like a NAS or a file server. Blocking cloud storage is often the smart course of action. But if you fail to provide a means for users who SHOULD BE ALLOWED to work from home to work from home, then I agree that users will use a flash drive and that's a huge risk. However, if users want to use a flash drive because they want to work from their personal PC and bypass existing policies, that's an HR issue, not an IT one.

thanksajdotcom

@scottalanmiller said:

@thanksaj said:

And you don't have anything like CCleaner or something being run?

Very rarely, nothing scheduled.

Maybe your bank keeps changing the cookie for whatever reason so that it doesn't pick up on the previous one...I know your primary bank is a fairly small institution so anything's possible...

scottalanmiller

@thanksaj you can block USB just as easy as blocking cloud storage. Start by blocking USB, not cloud.

thanksajdotcom

@scottalanmiller said:

@thanksaj you can block USB just as easy as blocking cloud storage. Start by blocking USB, not cloud.

Yeah, but if someone has a legitimate need for USB devices at times, then that can be bad. Granted, that's a niche situation, especially in the age of digital delivery and sneakernet is not as prevalent anymore (thought still used some), it shouldn't be as common.

scottalanmiller

@thanksaj said:

@scottalanmiller said:

@thanksaj you can block USB just as easy as blocking cloud storage. Start by blocking USB, not cloud.

Yeah, but if someone has a legitimate need for USB devices at times, then that can be bad. Granted, that's a niche situation, especially in the age of digital delivery and sneakernet is not as prevalent anymore (thought still used some), it shouldn't be as common.

Block USB storage, not USB completely.

http://support.microsoft.com/kb/823732

thanksajdotcom

@scottalanmiller said:

@thanksaj said:

@scottalanmiller said:

@thanksaj you can block USB just as easy as blocking cloud storage. Start by blocking USB, not cloud.

Yeah, but if someone has a legitimate need for USB devices at times, then that can be bad. Granted, that's a niche situation, especially in the age of digital delivery and sneakernet is not as prevalent anymore (thought still used some), it shouldn't be as common.

Block USB storage, not USB completely.

http://support.microsoft.com/kb/823732

Like I said, there are times that there might be a legitimate need for someone to access a USB storage device. Telling people that copying work files to a USB drive to work from a non-work computer or any other desired policies is an HR issue, not an IT one.

scottalanmiller

@thanksaj said:

Like I said, there are times that there might be a legitimate need for someone to access a USB storage device. Telling people that copying work files to a USB drive to work from a non-work computer or any other desired policies is an HR issue, not an IT one.

So you think it is okay to blanket block cloud storage but not USB? That makes no sense. There is far more likely to be a legitimate need to access cloud storage than USB storage. And it is far less risky to do cloud than USB. Few things are as risky as USB.

Why would you give one the benefit of the doubt and not the other? Why do you feel one is an IT issue and the other an HR issue? Both are equally HR concerns tied to IT capabilities to block.

However, one is modern and sensible to use much of the time. The other is not. One can have corporate controls on it, the other reasonably cannot.

thanksajdotcom

@scottalanmiller said:

@thanksaj said:

Like I said, there are times that there might be a legitimate need for someone to access a USB storage device. Telling people that copying work files to a USB drive to work from a non-work computer or any other desired policies is an HR issue, not an IT one.

So you think it is okay to blanket block cloud storage but not USB? That makes no sense. There is far more likely to be a legitimate need to access cloud storage than USB storage. And it is far less risky to do cloud than USB. Few things are as risky as USB.

Why would you give one the benefit of the doubt and not the other? Why do you feel one is an IT issue and the other an HR issue? Both are equally HR concerns tied to IT capabilities to block.

However, one is modern and sensible to use much of the time. The other is not. One can have corporate controls on it, the other reasonably cannot.

USB still has its uses, although the age of flash drives and sneakernet is nearing its final end.

scottalanmiller

@thanksaj said:

USB still has its uses, although the age of flash drives and sneakernet is nearing its final end.

"Still has its uses" is a handy excuse. But this isn't about if something "has a use", it's that you are out of hand accepting blocking anything modern without considering that it has its uses while not accepting blocking of a less useful, more risky, legacy storage mode whose use is likely less than 1% that of cloud storage.

Regardless of it either has any use, your acceptance of the one and willingness to block the other don't match. Why is the one that makes less sense okay and the one that makes more sense not okay?

thanksajdotcom

@scottalanmiller said:

@thanksaj said:

USB still has its uses, although the age of flash drives and sneakernet is nearing its final end.

"Still has its uses" is a handy excuse. But this isn't about if something "has a use", it's that you are out of hand accepting blocking anything modern without considering that it has its uses while not accepting blocking of a less useful, more risky, legacy storage mode whose use is likely less than 1% that of cloud storage.

Regardless of it either has any use, your acceptance of the one and willingness to block the other don't match. Why is the one that makes less sense okay and the one that makes more sense not okay?

The fact is that the answer of totally blocking both is likely not the best answer. Some things are still given to people via USB because of the size of the file(s). If you have a 64GB flash drive, and have 50GB of data, it's a lot quicker to give it to someone via a flash drive than via a download from any cloud storage provider.

Having an HR policy that makes sense for your organization and then having IT put the necessary blocks in effect to assist in enforcing it is the best policy. It's not that there is any one master right or wrong answer. It would vary company to company.

scottalanmiller

@thanksaj said:

The fact is that the answer of totally blocking both is likely not the best answer.

I don't understand. If you are okay blocking the useful one of the two, why would it ever be allowed to not block the less useful and more risky? This just doesn't make sense. If you are willing to block cloud storage you should be blocking USB by default, no question. Blocking only one doesn't make any general sense. Blocking both or neither, does.

scottalanmiller

@thanksaj said:

Some things are still given to people via USB because of the size of the file(s). If you have a 64GB flash drive, and have 50GB of data, it's a lot quicker to give it to someone via a flash drive than via a download from any cloud storage provider.

Because you are working as an IT professional in a business that doesn't have a network? What kind of scenario are you picturing here?

thanksajdotcom

@scottalanmiller said:

@thanksaj said:

The fact is that the answer of totally blocking both is likely not the best answer.

I don't understand. If you are okay blocking the useful one of the two, why would it ever be allowed to not block the less useful and more risky? This just doesn't make sense. If you are willing to block cloud storage you should be blocking USB by default, no question. Blocking only one doesn't make any general sense. Blocking both or neither, does.

Scott, just drop it. This discussion has run its course.